Skip to content

Improve LDAP password management #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adambarreiro merged 6 commits into from
Mar 21, 2025
Merged

Improve LDAP password management #65

adambarreiro merged 6 commits into from
Mar 21, 2025

Conversation

@adambarreiro
Copy link
Contributor

@adambarreiro adambarreiro commented Mar 21, 2025
edited
Loading

Before the changes implemented in this PR, users were forced to include a block in their vcfa_provider_ldap or vcfa_org_ldap definitions:

lifecycle {
    ignore_changes = [password]
}

With these changes, this requirement is no more. The idea is to save the LDAP password as the user provides it on create/update, ignoring the backend in this case (which never returns it). On reads, we just recover the value from state.

If the password is changed, the mechanism works exactly the same, so it detects password changes as normal.

Acceptance tests:

go test -tags functional -run '^TestAcc.*Ldap' -v -timeout 0

Manual checks:

  • Create vcfa_provider_ldap and vcfa_org_ldap HCL blocks. Apply as usual without any lifecycle meta-argument.
  • Run terraform plan. No updates-in-place should be reported.
  • Update the password to a dumb one that does not work. It should report the update-in-place and apply.
  • In UI, try to Sync ("Sync" button). Task should fail.
  • Try to revert back to correct password. It should report the update-in-place and apply.
  • In UI, try to Sync ("Sync" button). Task should finish OK.
  • Destroy

abarreiro added 3 commits March 21, 2025 11:29
Improve LDAP password management
02993c6 
Signed-off-by: abarreiro <[email protected]>
#
fddd301 
Signed-off-by: abarreiro <[email protected]>
Fix, tests pass
b6ab74d 
Signed-off-by: abarreiro <[email protected]>
@adambarreiro adambarreiro self-assigned this Mar 21, 2025
self-review
acb439f 
Signed-off-by: abarreiro <[email protected]>
adambarreiro
adambarreiro commented Mar 21, 2025
View reviewed changes
@adambarreiro adambarreiro marked this pull request as ready for review March 21, 2025 10:57
lvirbalas
lvirbalas approved these changes Mar 21, 2025
View reviewed changes
Copy link

@lvirbalas lvirbalas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Tried and can confirm that I'm NOT getting that action anymore:

 # vcfa_org_ldap.my-org-ldap will be updated in-place
  ~ resource "vcfa_org_ldap" "my-org-ldap" {
        id                     = "urn:vcloud:org:ab8f618c-2f8f-4424-9c13-7db2a9051304"
        # (4 unchanged attributes hidden)

      ~ custom_settings {
          + password                = (sensitive value)
            # (7 unchanged attributes hidden)

            # (2 unchanged blocks hidden)
        }
    }

Didainius
Didainius approved these changes Mar 21, 2025
View reviewed changes
Copy link
Contributor

@Didainius Didainius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement!

@adambarreiro adambarreiro merged commit b9a7aac into vmware:main Mar 21, 2025
3 checks passed
@adambarreiro adambarreiro deleted the improve-ldap-2 branch March 21, 2025 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@lvirbalas lvirbalas lvirbalas approved these changes

@Didainius Didainius Didainius approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@adambarreiro adambarreiro

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adambarreiro @lvirbalas @Didainius